1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2015 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
31 #ifdef EXPERIMENTAL_DANE
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
46 * X509_check_host provides sane certificate hostname checking, but was added
47 * to OpenSSL late, after other projects forked off the code-base. So in
48 * addition to guarding against the base version number, beware that LibreSSL
49 * does not (at this time) support this function.
51 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
52 * opt to disentangle and ask a LibreSSL user to provide glue for a third
53 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
54 * into even twistier knots. If LibreSSL gains the same API, we can just
55 * change this guard and punt the issue for a while longer.
57 #ifndef LIBRESSL_VERSION_NUMBER
58 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
59 # define EXIM_HAVE_OPENSSL_CHECKHOST
61 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
62 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
63 # define EXIM_HAVE_OPENSSL_CHECKHOST
66 # if !defined(OPENSSL_NO_ECDH)
67 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
68 # define EXIM_HAVE_ECDH
70 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
71 # define EXIM_HAVE_OPENSSL_ECDH_AUTO
72 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
77 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
78 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
82 /* Structure for collecting random data for seeding. */
84 typedef struct randstuff {
89 /* Local static variables */
91 static BOOL client_verify_callback_called = FALSE;
92 static BOOL server_verify_callback_called = FALSE;
93 static const uschar *sid_ctx = US"exim";
95 /* We have three different contexts to care about.
97 Simple case: client, `client_ctx`
98 As a client, we can be doing a callout or cut-through delivery while receiving
99 a message. So we have a client context, which should have options initialised
100 from the SMTP Transport.
103 There are two cases: with and without ServerNameIndication from the client.
104 Given TLS SNI, we can be using different keys, certs and various other
105 configuration settings, because they're re-expanded with $tls_sni set. This
106 allows vhosting with TLS. This SNI is sent in the handshake.
107 A client might not send SNI, so we need a fallback, and an initial setup too.
108 So as a server, we start out using `server_ctx`.
109 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
110 `server_sni` from `server_ctx` and then initialise settings by re-expanding
114 static SSL_CTX *client_ctx = NULL;
115 static SSL_CTX *server_ctx = NULL;
116 static SSL *client_ssl = NULL;
117 static SSL *server_ssl = NULL;
119 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
120 static SSL_CTX *server_sni = NULL;
123 static char ssl_errstring[256];
125 static int ssl_session_timeout = 200;
126 static BOOL client_verify_optional = FALSE;
127 static BOOL server_verify_optional = FALSE;
129 static BOOL reexpand_tls_files_for_sni = FALSE;
132 typedef struct tls_ext_ctx_cb {
140 uschar *file_expanded;
141 OCSP_RESPONSE *response;
144 X509_STORE *verify_store; /* non-null if status requested */
145 BOOL verify_required;
150 /* these are cached from first expand */
151 uschar *server_cipher_list;
152 /* only passed down to tls_error: */
154 const uschar * verify_cert_hostnames;
155 #ifndef DISABLE_EVENT
156 uschar * event_action;
160 /* should figure out a cleanup of API to handle state preserved per
161 implementation, for various reasons, which can be void * in the APIs.
162 For now, we hack around it. */
163 tls_ext_ctx_cb *client_static_cbinfo = NULL;
164 tls_ext_ctx_cb *server_static_cbinfo = NULL;
167 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
168 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
171 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
172 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
175 static int tls_server_stapling_cb(SSL *s, void *arg);
179 /*************************************************
181 *************************************************/
183 /* Called from lots of places when errors occur before actually starting to do
184 the TLS handshake, that is, while the session is still in clear. Always returns
185 DEFER for a server and FAIL for a client so that most calls can use "return
186 tls_error(...)" to do this processing and then give an appropriate return. A
187 single function is used for both server and client, because it is called from
188 some shared functions.
191 prefix text to include in the logged error
192 host NULL if setting up a server;
193 the connected host if setting up a client
194 msg error message or NULL if we should ask OpenSSL
196 Returns: OK/DEFER/FAIL
200 tls_error(uschar * prefix, const host_item * host, uschar * msg)
204 ERR_error_string(ERR_get_error(), ssl_errstring);
205 msg = (uschar *)ssl_errstring;
210 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
211 host->name, host->address, prefix, msg);
216 uschar *conn_info = smtp_get_connection_info();
217 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
219 /* I'd like to get separated H= here, but too hard for now */
220 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
221 conn_info, prefix, msg);
228 /*************************************************
229 * Callback to generate RSA key *
230 *************************************************/
238 Returns: pointer to generated key
242 rsa_callback(SSL *s, int export, int keylength)
245 export = export; /* Shut picky compilers up */
246 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
247 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
250 ERR_error_string(ERR_get_error(), ssl_errstring);
251 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
263 x509_store_dump_cert_s_names(X509_STORE * store)
265 STACK_OF(X509_OBJECT) * roots= store->objs;
267 static uschar name[256];
269 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
271 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
272 if(tmp_obj->type == X509_LU_X509)
274 X509 * current_cert= tmp_obj->data.x509;
275 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
276 name[sizeof(name)-1] = '\0';
277 debug_printf(" %s\n", name);
285 #ifndef DISABLE_EVENT
287 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
288 BOOL *calledp, const BOOL *optionalp, const uschar * what)
294 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
297 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
298 old_cert = tlsp->peercert;
299 tlsp->peercert = X509_dup(cert);
300 /* NB we do not bother setting peerdn */
301 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
303 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
304 "depth=%d cert=%s: %s",
305 tlsp == &tls_out ? deliver_host_address : sender_host_address,
306 what, depth, dn, yield);
310 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
311 return 1; /* reject (leaving peercert set) */
313 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
314 "(host in tls_try_verify_hosts)\n");
316 X509_free(tlsp->peercert);
317 tlsp->peercert = old_cert;
323 /*************************************************
324 * Callback for verification *
325 *************************************************/
327 /* The SSL library does certificate verification if set up to do so. This
328 callback has the current yes/no state is in "state". If verification succeeded,
329 we set the certificate-verified flag. If verification failed, what happens
330 depends on whether the client is required to present a verifiable certificate
333 If verification is optional, we change the state to yes, but still log the
334 verification error. For some reason (it really would help to have proper
335 documentation of OpenSSL), this callback function then gets called again, this
336 time with state = 1. We must take care not to set the private verified flag on
337 the second time through.
339 Note: this function is not called if the client fails to present a certificate
340 when asked. We get here only if a certificate has been received. Handling of
341 optional verification for this case is done when requesting SSL to verify, by
342 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
344 May be called multiple times for different issues with a certificate, even
345 for a given "depth" in the certificate chain.
348 preverify_ok current yes/no state as 1/0
349 x509ctx certificate information.
350 tlsp per-direction (client vs. server) support data
351 calledp has-been-called flag
352 optionalp verification-is-optional flag
354 Returns: 0 if verification should fail, otherwise 1
358 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
359 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
361 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
362 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
365 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
366 dn[sizeof(dn)-1] = '\0';
368 if (preverify_ok == 0)
370 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
371 tlsp == &tls_out ? deliver_host_address : sender_host_address,
373 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
379 tlsp->peercert = X509_dup(cert); /* record failing cert */
380 return 0; /* reject */
382 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
383 "tls_try_verify_hosts)\n");
388 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
390 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
391 { /* client, wanting stapling */
392 /* Add the server cert's signing chain as the one
393 for the verification of the OCSP stapled information. */
395 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
400 #ifndef DISABLE_EVENT
401 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
402 return 0; /* reject, with peercert set */
407 const uschar * verify_cert_hostnames;
409 if ( tlsp == &tls_out
410 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
411 /* client, wanting hostname check */
414 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
415 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
416 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
418 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
419 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
422 const uschar * list = verify_cert_hostnames;
425 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
426 if ((rc = X509_check_host(cert, CCS name, 0,
427 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
428 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
433 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
434 tlsp == &tls_out ? deliver_host_address : sender_host_address);
441 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
444 log_write(0, LOG_MAIN,
445 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
446 tlsp == &tls_out ? deliver_host_address : sender_host_address,
452 tlsp->peercert = X509_dup(cert); /* record failing cert */
453 return 0; /* reject */
455 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
456 "tls_try_verify_hosts)\n");
460 #ifndef DISABLE_EVENT
461 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
462 return 0; /* reject, with peercert set */
465 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
466 *calledp ? "" : " authenticated", dn);
467 if (!*calledp) tlsp->certificate_verified = TRUE;
471 return 1; /* accept, at least for this level */
475 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
477 return verify_callback(preverify_ok, x509ctx, &tls_out,
478 &client_verify_callback_called, &client_verify_optional);
482 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
484 return verify_callback(preverify_ok, x509ctx, &tls_in,
485 &server_verify_callback_called, &server_verify_optional);
489 #ifdef EXPERIMENTAL_DANE
491 /* This gets called *by* the dane library verify callback, which interposes
495 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
497 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
499 #ifndef DISABLE_EVENT
500 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
501 BOOL dummy_called, optional = FALSE;
504 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
505 dn[sizeof(dn)-1] = '\0';
507 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
508 preverify_ok ? "ok":"BAD", depth, dn);
510 #ifndef DISABLE_EVENT
511 if (verify_event(&tls_out, cert, depth, dn,
512 &dummy_called, &optional, US"DANE"))
513 return 0; /* reject, with peercert set */
516 if (preverify_ok == 1)
517 tls_out.dane_verified =
518 tls_out.certificate_verified = TRUE;
521 int err = X509_STORE_CTX_get_error(x509ctx);
523 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
524 if (err = X509_V_ERR_APPLICATION_VERIFICATION)
530 #endif /*EXPERIMENTAL_DANE*/
533 /*************************************************
534 * Information callback *
535 *************************************************/
537 /* The SSL library functions call this from time to time to indicate what they
538 are doing. We copy the string to the debugging output when TLS debugging has
550 info_callback(SSL *s, int where, int ret)
554 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
559 /*************************************************
560 * Initialize for DH *
561 *************************************************/
563 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
566 sctx The current SSL CTX (inbound or outbound)
567 dhparam DH parameter file or fixed parameter identity string
568 host connected host, if client; NULL if server
570 Returns: TRUE if OK (nothing to set up, or setup worked)
574 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
581 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
584 if (!dhexpanded || !*dhexpanded)
585 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
586 else if (dhexpanded[0] == '/')
588 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
590 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
591 host, US strerror(errno));
597 if (Ustrcmp(dhexpanded, "none") == 0)
599 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
603 if (!(pem = std_dh_prime_named(dhexpanded)))
605 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
606 host, US strerror(errno));
609 bio = BIO_new_mem_buf(CS pem, -1);
612 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
615 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
620 /* Even if it is larger, we silently return success rather than cause things
621 * to fail out, so that a too-large DH will not knock out all TLS; it's a
622 * debatable choice. */
623 if ((8*DH_size(dh)) > tls_dh_max_bits)
626 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
627 8*DH_size(dh), tls_dh_max_bits);
631 SSL_CTX_set_tmp_dh(sctx, dh);
633 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
634 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
646 /*************************************************
647 * Initialize for ECDH *
648 *************************************************/
650 /* Load parameters for ECDH encryption.
652 For now, we stick to NIST P-256 because: it's simple and easy to configure;
653 it avoids any patent issues that might bite redistributors; despite events in
654 the news and concerns over curve choices, we're not cryptographers, we're not
655 pretending to be, and this is "good enough" to be better than no support,
656 protecting against most adversaries. Given another year or two, there might
657 be sufficient clarity about a "right" way forward to let us make an informed
658 decision, instead of a knee-jerk reaction.
660 Longer-term, we should look at supporting both various named curves and
661 external files generated with "openssl ecparam", much as we do for init_dh().
662 We should also support "none" as a value, to explicitly avoid initialisation.
667 sctx The current SSL CTX (inbound or outbound)
668 host connected host, if client; NULL if server
670 Returns: TRUE if OK (nothing to set up, or setup worked)
674 init_ecdh(SSL_CTX * sctx, host_item * host)
676 #ifdef OPENSSL_NO_ECDH
685 if (host) /* No ECDH setup for clients, only for servers */
688 # ifndef EXIM_HAVE_ECDH
690 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
694 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
696 if (!exp_curve || !*exp_curve)
699 # ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO
700 /* check if new enough library to support auto ECDH temp key parameter selection */
701 if (Ustrcmp(exp_curve, "auto") == 0)
703 DEBUG(D_tls) debug_printf(
704 "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
705 SSL_CTX_set_ecdh_auto(sctx, 1);
710 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
711 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
712 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
713 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
717 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'",
723 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
725 tls_error(US"Unable to create ec curve", host, NULL);
729 /* The "tmp" in the name here refers to setting a temporary key
730 not to the stability of the interface. */
732 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
733 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL);
735 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
740 # endif /*EXIM_HAVE_ECDH*/
741 #endif /*OPENSSL_NO_ECDH*/
748 /*************************************************
749 * Load OCSP information into state *
750 *************************************************/
752 /* Called to load the server OCSP response from the given file into memory, once
753 caller has determined this is needed. Checks validity. Debugs a message
756 ASSUMES: single response, for single cert.
759 sctx the SSL_CTX* to update
760 cbinfo various parts of session state
761 expanded the filename putatively holding an OCSP response
766 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
770 OCSP_BASICRESP *basic_response;
771 OCSP_SINGLERESP *single_response;
772 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
774 unsigned long verify_flags;
775 int status, reason, i;
777 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
778 if (cbinfo->u_ocsp.server.response)
780 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
781 cbinfo->u_ocsp.server.response = NULL;
784 bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
787 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
788 cbinfo->u_ocsp.server.file_expanded);
792 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
796 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
800 status = OCSP_response_status(resp);
801 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
803 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
804 OCSP_response_status_str(status), status);
808 basic_response = OCSP_response_get1_basic(resp);
812 debug_printf("OCSP response parse error: unable to extract basic response.\n");
816 store = SSL_CTX_get_cert_store(sctx);
817 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
819 /* May need to expose ability to adjust those flags?
820 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
821 OCSP_TRUSTOTHER OCSP_NOINTERN */
823 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
827 ERR_error_string(ERR_get_error(), ssl_errstring);
828 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
833 /* Here's the simplifying assumption: there's only one response, for the
834 one certificate we use, and nothing for anything else in a chain. If this
835 proves false, we need to extract a cert id from our issued cert
836 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
837 right cert in the stack and then calls OCSP_single_get0_status()).
839 I'm hoping to avoid reworking a bunch more of how we handle state here. */
840 single_response = OCSP_resp_get0(basic_response, 0);
841 if (!single_response)
844 debug_printf("Unable to get first response from OCSP basic response.\n");
848 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
849 if (status != V_OCSP_CERTSTATUS_GOOD)
851 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
852 OCSP_cert_status_str(status), status,
853 OCSP_crl_reason_str(reason), reason);
857 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
859 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
864 cbinfo->u_ocsp.server.response = resp;
868 if (running_in_test_harness)
870 extern char ** environ;
872 for (p = USS environ; *p != NULL; p++)
873 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
875 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
876 goto supply_response;
881 #endif /*!DISABLE_OCSP*/
886 /*************************************************
887 * Expand key and cert file specs *
888 *************************************************/
890 /* Called once during tls_init and possibly again during TLS setup, for a
891 new context, if Server Name Indication was used and tls_sni was seen in
892 the certificate string.
895 sctx the SSL_CTX* to update
896 cbinfo various parts of session state
898 Returns: OK/DEFER/FAIL
902 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
906 if (cbinfo->certificate == NULL)
909 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
910 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
911 Ustrstr(cbinfo->certificate, US"tls_out_sni")
913 reexpand_tls_files_for_sni = TRUE;
915 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
918 if (expanded != NULL)
920 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
921 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
922 return tls_error(string_sprintf(
923 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
927 if (cbinfo->privatekey != NULL &&
928 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
931 /* If expansion was forced to fail, key_expanded will be NULL. If the result
932 of the expansion is an empty string, ignore it also, and assume the private
933 key is in the same file as the certificate. */
935 if (expanded && *expanded)
937 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
938 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
939 return tls_error(string_sprintf(
940 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
944 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
946 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
949 if (expanded && *expanded)
951 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
952 if ( cbinfo->u_ocsp.server.file_expanded
953 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
955 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
959 ocsp_load_response(sctx, cbinfo, expanded);
971 /*************************************************
972 * Callback to handle SNI *
973 *************************************************/
975 /* Called when acting as server during the TLS session setup if a Server Name
976 Indication extension was sent by the client.
978 API documentation is OpenSSL s_server.c implementation.
981 s SSL* of the current session
982 ad unknown (part of OpenSSL API) (unused)
983 arg Callback of "our" registered data
985 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
988 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
990 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
992 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
993 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
995 int old_pool = store_pool;
998 return SSL_TLSEXT_ERR_OK;
1000 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1001 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1003 /* Make the extension value available for expansion */
1004 store_pool = POOL_PERM;
1005 tls_in.sni = string_copy(US servername);
1006 store_pool = old_pool;
1008 if (!reexpand_tls_files_for_sni)
1009 return SSL_TLSEXT_ERR_OK;
1011 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1012 not confident that memcpy wouldn't break some internal reference counting.
1013 Especially since there's a references struct member, which would be off. */
1015 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1017 ERR_error_string(ERR_get_error(), ssl_errstring);
1018 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1019 return SSL_TLSEXT_ERR_NOACK;
1022 /* Not sure how many of these are actually needed, since SSL object
1023 already exists. Might even need this selfsame callback, for reneg? */
1025 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1026 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1027 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1028 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1029 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1030 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1032 if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
1033 || !init_ecdh(server_sni, NULL)
1035 return SSL_TLSEXT_ERR_NOACK;
1037 if (cbinfo->server_cipher_list)
1038 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1039 #ifndef DISABLE_OCSP
1040 if (cbinfo->u_ocsp.server.file)
1042 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1043 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1047 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
1048 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
1050 /* do this after setup_certs, because this can require the certs for verifying
1051 OCSP information. */
1052 if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
1053 return SSL_TLSEXT_ERR_NOACK;
1055 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1056 SSL_set_SSL_CTX(s, server_sni);
1058 return SSL_TLSEXT_ERR_OK;
1060 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1065 #ifndef DISABLE_OCSP
1067 /*************************************************
1068 * Callback to handle OCSP Stapling *
1069 *************************************************/
1071 /* Called when acting as server during the TLS session setup if the client
1072 requests OCSP information with a Certificate Status Request.
1074 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1080 tls_server_stapling_cb(SSL *s, void *arg)
1082 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1083 uschar *response_der;
1084 int response_der_len;
1087 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1088 cbinfo->u_ocsp.server.response ? "have" : "lack");
1090 tls_in.ocsp = OCSP_NOT_RESP;
1091 if (!cbinfo->u_ocsp.server.response)
1092 return SSL_TLSEXT_ERR_NOACK;
1094 response_der = NULL;
1095 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1097 if (response_der_len <= 0)
1098 return SSL_TLSEXT_ERR_NOACK;
1100 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1101 tls_in.ocsp = OCSP_VFIED;
1102 return SSL_TLSEXT_ERR_OK;
1107 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1109 BIO_printf(bp, "\t%s: ", str);
1110 ASN1_GENERALIZEDTIME_print(bp, time);
1115 tls_client_stapling_cb(SSL *s, void *arg)
1117 tls_ext_ctx_cb * cbinfo = arg;
1118 const unsigned char * p;
1120 OCSP_RESPONSE * rsp;
1121 OCSP_BASICRESP * bs;
1124 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1125 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1128 /* Expect this when we requested ocsp but got none */
1129 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1130 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1132 DEBUG(D_tls) debug_printf(" null\n");
1133 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1136 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1138 tls_out.ocsp = OCSP_FAILED;
1139 if (LOGGING(tls_cipher))
1140 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1142 DEBUG(D_tls) debug_printf(" parse error\n");
1146 if(!(bs = OCSP_response_get1_basic(rsp)))
1148 tls_out.ocsp = OCSP_FAILED;
1149 if (LOGGING(tls_cipher))
1150 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1152 DEBUG(D_tls) debug_printf(" error parsing response\n");
1153 OCSP_RESPONSE_free(rsp);
1157 /* We'd check the nonce here if we'd put one in the request. */
1158 /* However that would defeat cacheability on the server so we don't. */
1160 /* This section of code reworked from OpenSSL apps source;
1161 The OpenSSL Project retains copyright:
1162 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1167 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1169 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1171 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1173 /* Use the chain that verified the server cert to verify the stapled info */
1174 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1176 if ((i = OCSP_basic_verify(bs, NULL,
1177 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1179 tls_out.ocsp = OCSP_FAILED;
1180 if (LOGGING(tls_cipher))
1181 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1182 BIO_printf(bp, "OCSP response verify failure\n");
1183 ERR_print_errors(bp);
1184 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1188 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1191 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1192 OCSP_SINGLERESP * single;
1194 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1196 tls_out.ocsp = OCSP_FAILED;
1197 log_write(0, LOG_MAIN, "OCSP stapling "
1198 "with multiple responses not handled");
1199 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1202 single = OCSP_resp_get0(bs, 0);
1203 status = OCSP_single_get0_status(single, &reason, &rev,
1204 &thisupd, &nextupd);
1207 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1208 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1209 if (!OCSP_check_validity(thisupd, nextupd,
1210 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1212 tls_out.ocsp = OCSP_FAILED;
1213 DEBUG(D_tls) ERR_print_errors(bp);
1214 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1215 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1219 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1220 OCSP_cert_status_str(status));
1223 case V_OCSP_CERTSTATUS_GOOD:
1224 tls_out.ocsp = OCSP_VFIED;
1227 case V_OCSP_CERTSTATUS_REVOKED:
1228 tls_out.ocsp = OCSP_FAILED;
1229 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1230 reason != -1 ? "; reason: " : "",
1231 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1232 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1233 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1236 tls_out.ocsp = OCSP_FAILED;
1237 log_write(0, LOG_MAIN,
1238 "Server certificate status unknown, in OCSP stapling");
1239 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1247 OCSP_RESPONSE_free(rsp);
1250 #endif /*!DISABLE_OCSP*/
1253 /*************************************************
1254 * Initialize for TLS *
1255 *************************************************/
1257 /* Called from both server and client code, to do preliminary initialization
1258 of the library. We allocate and return a context structure.
1261 ctxp returned SSL context
1262 host connected host, if client; NULL if server
1263 dhparam DH parameter file
1264 certificate certificate file
1265 privatekey private key
1266 ocsp_file file of stapling info (server); flag for require ocsp (client)
1267 addr address if client; NULL if server (for some randomness)
1268 cbp place to put allocated callback context
1270 Returns: OK/DEFER/FAIL
1274 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1276 #ifndef DISABLE_OCSP
1279 address_item *addr, tls_ext_ctx_cb ** cbp)
1284 tls_ext_ctx_cb * cbinfo;
1286 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1287 cbinfo->certificate = certificate;
1288 cbinfo->privatekey = privatekey;
1289 #ifndef DISABLE_OCSP
1290 if ((cbinfo->is_server = host==NULL))
1292 cbinfo->u_ocsp.server.file = ocsp_file;
1293 cbinfo->u_ocsp.server.file_expanded = NULL;
1294 cbinfo->u_ocsp.server.response = NULL;
1297 cbinfo->u_ocsp.client.verify_store = NULL;
1299 cbinfo->dhparam = dhparam;
1300 cbinfo->server_cipher_list = NULL;
1301 cbinfo->host = host;
1302 #ifndef DISABLE_EVENT
1303 cbinfo->event_action = NULL;
1306 SSL_load_error_strings(); /* basic set up */
1307 OpenSSL_add_ssl_algorithms();
1309 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1310 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1311 list of available digests. */
1312 EVP_add_digest(EVP_sha256());
1315 /* Create a context.
1316 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1317 negotiation in the different methods; as far as I can tell, the only
1318 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1319 when OpenSSL is built without SSLv2 support.
1320 By disabling with openssl_options, we can let admins re-enable with the
1323 *ctxp = SSL_CTX_new((host == NULL)?
1324 SSLv23_server_method() : SSLv23_client_method());
1326 if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
1328 /* It turns out that we need to seed the random number generator this early in
1329 order to get the full complement of ciphers to work. It took me roughly a day
1330 of work to discover this by experiment.
1332 On systems that have /dev/urandom, SSL may automatically seed itself from
1333 there. Otherwise, we have to make something up as best we can. Double check
1339 gettimeofday(&r.tv, NULL);
1342 RAND_seed((uschar *)(&r), sizeof(r));
1343 RAND_seed((uschar *)big_buffer, big_buffer_size);
1344 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1347 return tls_error(US"RAND_status", host,
1348 US"unable to seed random number generator");
1351 /* Set up the information callback, which outputs if debugging is at a suitable
1354 DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1356 /* Automatically re-try reads/writes after renegotiation. */
1357 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1359 /* Apply administrator-supplied work-arounds.
1360 Historically we applied just one requested option,
1361 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1362 moved to an administrator-controlled list of options to specify and
1363 grandfathered in the first one as the default value for "openssl_options".
1365 No OpenSSL version number checks: the options we accept depend upon the
1366 availability of the option value macros from OpenSSL. */
1368 okay = tls_openssl_options_parse(openssl_options, &init_options);
1370 return tls_error(US"openssl_options parsing failed", host, NULL);
1374 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1375 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1376 return tls_error(string_sprintf(
1377 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1380 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1382 /* Initialize with DH parameters if supplied */
1383 /* Initialize ECDH temp key parameter selection */
1385 if ( !init_dh(*ctxp, dhparam, host)
1386 || !init_ecdh(*ctxp, host)
1390 /* Set up certificate and key (and perhaps OCSP info) */
1392 rc = tls_expand_session_files(*ctxp, cbinfo);
1393 if (rc != OK) return rc;
1395 /* If we need to handle SNI, do so */
1396 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1397 if (host == NULL) /* server */
1399 # ifndef DISABLE_OCSP
1400 /* We check u_ocsp.server.file, not server.response, because we care about if
1401 the option exists, not what the current expansion might be, as SNI might
1402 change the certificate and OCSP file in use between now and the time the
1403 callback is invoked. */
1404 if (cbinfo->u_ocsp.server.file)
1406 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1407 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1410 /* We always do this, so that $tls_sni is available even if not used in
1412 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1413 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1415 # ifndef DISABLE_OCSP
1417 if(ocsp_file) /* wanting stapling */
1419 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1421 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1424 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1425 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1430 cbinfo->verify_cert_hostnames = NULL;
1432 /* Set up the RSA callback */
1434 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1436 /* Finally, set the timeout, and we are done */
1438 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1439 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1449 /*************************************************
1450 * Get name of cipher in use *
1451 *************************************************/
1454 Argument: pointer to an SSL structure for the connection
1455 buffer to use for answer
1457 pointer to number of bits for cipher
1462 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1464 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1465 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1466 the accessor functions use const in the prototype. */
1467 const SSL_CIPHER *c;
1470 ver = (const uschar *)SSL_get_version(ssl);
1472 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1473 SSL_CIPHER_get_bits(c, bits);
1475 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1476 SSL_CIPHER_get_name(c), *bits);
1478 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1483 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1485 /*XXX we might consider a list-of-certs variable for the cert chain.
1486 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1487 in list-handling functions, also consider the difference between the entire
1488 chain and the elements sent by the peer. */
1490 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1491 if (!tlsp->peercert)
1492 tlsp->peercert = SSL_get_peer_certificate(ssl);
1493 /* Beware anonymous ciphers which lead to server_cert being NULL */
1496 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1497 peerdn[bsize-1] = '\0';
1498 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1501 tlsp->peerdn = NULL;
1508 /*************************************************
1509 * Set up for verifying certificates *
1510 *************************************************/
1512 /* Called by both client and server startup
1515 sctx SSL_CTX* to initialise
1516 certs certs file or NULL
1517 crl CRL file or NULL
1518 host NULL in a server; the remote host in a client
1519 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1520 otherwise passed as FALSE
1521 cert_vfy_cb Callback function for certificate verification
1523 Returns: OK/DEFER/FAIL
1527 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1528 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1530 uschar *expcerts, *expcrl;
1532 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1535 if (expcerts != NULL && *expcerts != '\0')
1537 if (Ustrcmp(expcerts, "system") == 0)
1539 /* Tell the library to use its compiled-in location for the system default
1542 if (!SSL_CTX_set_default_verify_paths(sctx))
1543 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1547 struct stat statbuf;
1549 /* Tell the library to use its compiled-in location for the system default
1550 CA bundle. Those given by the exim config are additional to these */
1552 if (!SSL_CTX_set_default_verify_paths(sctx))
1553 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1555 if (Ustat(expcerts, &statbuf) < 0)
1557 log_write(0, LOG_MAIN|LOG_PANIC,
1558 "failed to stat %s for certificates", expcerts);
1564 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1565 { file = NULL; dir = expcerts; }
1567 { file = expcerts; dir = NULL; }
1569 /* If a certificate file is empty, the next function fails with an
1570 unhelpful error message. If we skip it, we get the correct behaviour (no
1571 certificates are recognized, but the error message is still misleading (it
1572 says no certificate was supplied.) But this is better. */
1574 if ( (!file || statbuf.st_size > 0)
1575 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1576 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1578 /* Load the list of CAs for which we will accept certs, for sending
1579 to the client. This is only for the one-file tls_verify_certificates
1581 If a list isn't loaded into the server, but
1582 some verify locations are set, the server end appears to make
1583 a wildcard reqest for client certs.
1584 Meanwhile, the client library as deafult behaviour *ignores* the list
1585 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1586 Because of this, and that the dir variant is likely only used for
1587 the public-CA bundle (not for a private CA), not worth fixing.
1591 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1593 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1594 sk_X509_NAME_num(names));
1595 SSL_CTX_set_client_CA_list(sctx, names);
1600 /* Handle a certificate revocation list. */
1602 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1604 /* This bit of code is now the version supplied by Lars Mainka. (I have
1605 * merely reformatted it into the Exim code style.)
1607 * "From here I changed the code to add support for multiple crl's
1608 * in pem format in one file or to support hashed directory entries in
1609 * pem format instead of a file. This method now uses the library function
1610 * X509_STORE_load_locations to add the CRL location to the SSL context.
1611 * OpenSSL will then handle the verify against CA certs and CRLs by
1612 * itself in the verify callback." */
1614 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1615 if (expcrl != NULL && *expcrl != 0)
1617 struct stat statbufcrl;
1618 if (Ustat(expcrl, &statbufcrl) < 0)
1620 log_write(0, LOG_MAIN|LOG_PANIC,
1621 "failed to stat %s for certificates revocation lists", expcrl);
1626 /* is it a file or directory? */
1628 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1629 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1633 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1639 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1641 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1642 return tls_error(US"X509_STORE_load_locations", host, NULL);
1644 /* setting the flags to check against the complete crl chain */
1646 X509_STORE_set_flags(cvstore,
1647 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1651 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1653 /* If verification is optional, don't fail if no certificate */
1655 SSL_CTX_set_verify(sctx,
1656 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1665 /*************************************************
1666 * Start a TLS session in a server *
1667 *************************************************/
1669 /* This is called when Exim is running as a server, after having received
1670 the STARTTLS command. It must respond to that command, and then negotiate
1674 require_ciphers allowed ciphers
1676 Returns: OK on success
1677 DEFER for errors before the start of the negotiation
1678 FAIL for errors during the negotation; the server can't
1683 tls_server_start(const uschar *require_ciphers)
1687 tls_ext_ctx_cb *cbinfo;
1688 static uschar peerdn[256];
1689 static uschar cipherbuf[256];
1691 /* Check for previous activation */
1693 if (tls_in.active >= 0)
1695 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1696 smtp_printf("554 Already in TLS\r\n");
1700 /* Initialize the SSL library. If it fails, it will already have logged
1703 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1704 #ifndef DISABLE_OCSP
1707 NULL, &server_static_cbinfo);
1708 if (rc != OK) return rc;
1709 cbinfo = server_static_cbinfo;
1711 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1714 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1715 were historically separated by underscores. So that I can use either form in my
1716 tests, and also for general convenience, we turn underscores into hyphens here.
1719 if (expciphers != NULL)
1721 uschar *s = expciphers;
1722 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1723 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1724 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1725 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1726 cbinfo->server_cipher_list = expciphers;
1729 /* If this is a host for which certificate verification is mandatory or
1730 optional, set up appropriately. */
1732 tls_in.certificate_verified = FALSE;
1733 #ifdef EXPERIMENTAL_DANE
1734 tls_in.dane_verified = FALSE;
1736 server_verify_callback_called = FALSE;
1738 if (verify_check_host(&tls_verify_hosts) == OK)
1740 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1741 FALSE, verify_callback_server);
1742 if (rc != OK) return rc;
1743 server_verify_optional = FALSE;
1745 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1747 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1748 TRUE, verify_callback_server);
1749 if (rc != OK) return rc;
1750 server_verify_optional = TRUE;
1753 /* Prepare for new connection */
1755 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1757 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1759 * With the SSL_clear(), we get strange interoperability bugs with
1760 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1761 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1763 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1764 * session shutdown. In this case, we have a brand new object and there's no
1765 * obvious reason to immediately clear it. I'm guessing that this was
1766 * originally added because of incomplete initialisation which the clear fixed,
1767 * in some historic release.
1770 /* Set context and tell client to go ahead, except in the case of TLS startup
1771 on connection, where outputting anything now upsets the clients and tends to
1772 make them disconnect. We need to have an explicit fflush() here, to force out
1773 the response. Other smtp_printf() calls do not need it, because in non-TLS
1774 mode, the fflush() happens when smtp_getc() is called. */
1776 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1777 if (!tls_in.on_connect)
1779 smtp_printf("220 TLS go ahead\r\n");
1783 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1784 that the OpenSSL library doesn't. */
1786 SSL_set_wfd(server_ssl, fileno(smtp_out));
1787 SSL_set_rfd(server_ssl, fileno(smtp_in));
1788 SSL_set_accept_state(server_ssl);
1790 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1792 sigalrm_seen = FALSE;
1793 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1794 rc = SSL_accept(server_ssl);
1799 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1800 if (ERR_get_error() == 0)
1801 log_write(0, LOG_MAIN,
1802 "TLS client disconnected cleanly (rejected our certificate?)");
1806 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1808 /* TLS has been set up. Adjust the input functions to read via TLS,
1809 and initialize things. */
1811 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1813 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1814 tls_in.cipher = cipherbuf;
1819 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1820 debug_printf("Shared ciphers: %s\n", buf);
1823 /* Record the certificate we presented */
1825 X509 * crt = SSL_get_certificate(server_ssl);
1826 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1829 /* Only used by the server-side tls (tls_in), including tls_getc.
1830 Client-side (tls_out) reads (seem to?) go via
1831 smtp_read_response()/ip_recv().
1832 Hence no need to duplicate for _in and _out.
1834 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1835 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1836 ssl_xfer_eof = ssl_xfer_error = 0;
1838 receive_getc = tls_getc;
1839 receive_ungetc = tls_ungetc;
1840 receive_feof = tls_feof;
1841 receive_ferror = tls_ferror;
1842 receive_smtp_buffered = tls_smtp_buffered;
1844 tls_in.active = fileno(smtp_out);
1852 tls_client_basic_ctx_init(SSL_CTX * ctx,
1853 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
1857 /* stick to the old behaviour for compatibility if tls_verify_certificates is
1858 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1859 the specified host patterns if one of them is defined */
1861 if ( ( !ob->tls_verify_hosts
1862 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1864 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
1866 client_verify_optional = FALSE;
1867 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1868 client_verify_optional = TRUE;
1872 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1873 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1876 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1878 cbinfo->verify_cert_hostnames =
1880 string_domain_utf8_to_alabel(host->name, NULL);
1884 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1885 cbinfo->verify_cert_hostnames);
1891 #ifdef EXPERIMENTAL_DANE
1893 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
1897 const char * hostnames[2] = { CS host->name, NULL };
1900 if (DANESSL_init(ssl, NULL, hostnames) != 1)
1901 return tls_error(US"hostnames load", host, NULL);
1903 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1905 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1906 ) if (rr->type == T_TLSA)
1908 uschar * p = rr->data;
1909 uint8_t usage, selector, mtype;
1910 const char * mdname;
1914 /* Only DANE-TA(2) and DANE-EE(3) are supported */
1915 if (usage != 2 && usage != 3) continue;
1922 default: continue; /* Only match-types 0, 1, 2 are supported */
1923 case 0: mdname = NULL; break;
1924 case 1: mdname = "sha256"; break;
1925 case 2: mdname = "sha512"; break;
1929 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
1932 case 0: /* action not taken */
1933 return tls_error(US"tlsa load", host, NULL);
1937 tls_out.tlsa_usage |= 1<<usage;
1943 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
1946 #endif /*EXPERIMENTAL_DANE*/
1950 /*************************************************
1951 * Start a TLS session in a client *
1952 *************************************************/
1954 /* Called from the smtp transport after STARTTLS has been accepted.
1957 fd the fd of the connection
1958 host connected host (for messages)
1959 addr the first address
1960 tb transport (always smtp)
1961 tlsa_dnsa tlsa lookup, if DANE, else null
1963 Returns: OK on success
1964 FAIL otherwise - note that tls_error() will not give DEFER
1965 because this is not a server
1969 tls_client_start(int fd, host_item *host, address_item *addr,
1970 transport_instance *tb
1971 #ifdef EXPERIMENTAL_DANE
1972 , dns_answer * tlsa_dnsa
1976 smtp_transport_options_block * ob =
1977 (smtp_transport_options_block *)tb->options_block;
1978 static uschar peerdn[256];
1979 uschar * expciphers;
1981 static uschar cipherbuf[256];
1983 #ifndef DISABLE_OCSP
1984 BOOL request_ocsp = FALSE;
1985 BOOL require_ocsp = FALSE;
1988 #ifdef EXPERIMENTAL_DANE
1989 tls_out.tlsa_usage = 0;
1992 #ifndef DISABLE_OCSP
1994 # ifdef EXPERIMENTAL_DANE
1996 && ob->hosts_request_ocsp[0] == '*'
1997 && ob->hosts_request_ocsp[1] == '\0'
2000 /* Unchanged from default. Use a safer one under DANE */
2001 request_ocsp = TRUE;
2002 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2003 " {= {4}{$tls_out_tlsa_usage}} } "
2009 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2010 request_ocsp = TRUE;
2012 # ifdef EXPERIMENTAL_DANE
2016 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2020 rc = tls_init(&client_ctx, host, NULL,
2021 ob->tls_certificate, ob->tls_privatekey,
2022 #ifndef DISABLE_OCSP
2023 (void *)(long)request_ocsp,
2025 addr, &client_static_cbinfo);
2026 if (rc != OK) return rc;
2028 tls_out.certificate_verified = FALSE;
2029 client_verify_callback_called = FALSE;
2031 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2035 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2036 are separated by underscores. So that I can use either form in my tests, and
2037 also for general convenience, we turn underscores into hyphens here. */
2039 if (expciphers != NULL)
2041 uschar *s = expciphers;
2042 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2043 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2044 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2045 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
2048 #ifdef EXPERIMENTAL_DANE
2051 SSL_CTX_set_verify(client_ctx,
2052 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2053 verify_callback_client_dane);
2055 if (!DANESSL_library_init())
2056 return tls_error(US"library init", host, NULL);
2057 if (DANESSL_CTX_init(client_ctx) <= 0)
2058 return tls_error(US"context init", host, NULL);
2064 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
2068 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2069 return tls_error(US"SSL_new", host, NULL);
2070 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2071 SSL_set_fd(client_ssl, fd);
2072 SSL_set_connect_state(client_ssl);
2076 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
2078 if (tls_out.sni == NULL)
2080 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2082 else if (!Ustrlen(tls_out.sni))
2086 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2087 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2088 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2091 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
2097 #ifdef EXPERIMENTAL_DANE
2099 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
2103 #ifndef DISABLE_OCSP
2104 /* Request certificate status at connection-time. If the server
2105 does OCSP stapling we will get the callback (set in tls_init()) */
2106 # ifdef EXPERIMENTAL_DANE
2110 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2111 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2113 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2114 this means we avoid the OCSP request, we wasted the setup
2115 cost in tls_init(). */
2116 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2117 request_ocsp = require_ocsp
2118 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2125 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2126 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2127 tls_out.ocsp = OCSP_NOT_RESP;
2131 #ifndef DISABLE_EVENT
2132 client_static_cbinfo->event_action = tb->event_action;
2135 /* There doesn't seem to be a built-in timeout on connection. */
2137 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2138 sigalrm_seen = FALSE;
2139 alarm(ob->command_timeout);
2140 rc = SSL_connect(client_ssl);
2143 #ifdef EXPERIMENTAL_DANE
2145 DANESSL_cleanup(client_ssl);
2149 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
2151 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2153 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2155 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2156 tls_out.cipher = cipherbuf;
2158 /* Record the certificate we presented */
2160 X509 * crt = SSL_get_certificate(client_ssl);
2161 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2164 tls_out.active = fd;
2172 /*************************************************
2173 * TLS version of getc *
2174 *************************************************/
2176 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2177 it refills the buffer via the SSL reading function.
2180 Returns: the next character or EOF
2182 Only used by the server-side TLS.
2188 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2193 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2194 ssl_xfer_buffer, ssl_xfer_buffer_size);
2196 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2197 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2198 error = SSL_get_error(server_ssl, inbytes);
2201 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2202 closed down, not that the socket itself has been closed down. Revert to
2203 non-SSL handling. */
2205 if (error == SSL_ERROR_ZERO_RETURN)
2207 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2209 receive_getc = smtp_getc;
2210 receive_ungetc = smtp_ungetc;
2211 receive_feof = smtp_feof;
2212 receive_ferror = smtp_ferror;
2213 receive_smtp_buffered = smtp_buffered;
2215 SSL_free(server_ssl);
2219 tls_in.cipher = NULL;
2220 tls_in.peerdn = NULL;
2226 /* Handle genuine errors */
2228 else if (error == SSL_ERROR_SSL)
2230 ERR_error_string(ERR_get_error(), ssl_errstring);
2231 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2236 else if (error != SSL_ERROR_NONE)
2238 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2243 #ifndef DISABLE_DKIM
2244 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2246 ssl_xfer_buffer_hwm = inbytes;
2247 ssl_xfer_buffer_lwm = 0;
2250 /* Something in the buffer; return next uschar */
2252 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2257 /*************************************************
2258 * Read bytes from TLS channel *
2259 *************************************************/
2266 Returns: the number of bytes read
2267 -1 after a failed read
2269 Only used by the client-side TLS.
2273 tls_read(BOOL is_server, uschar *buff, size_t len)
2275 SSL *ssl = is_server ? server_ssl : client_ssl;
2279 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2280 buff, (unsigned int)len);
2282 inbytes = SSL_read(ssl, CS buff, len);
2283 error = SSL_get_error(ssl, inbytes);
2285 if (error == SSL_ERROR_ZERO_RETURN)
2287 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2290 else if (error != SSL_ERROR_NONE)
2302 /*************************************************
2303 * Write bytes down TLS channel *
2304 *************************************************/
2308 is_server channel specifier
2312 Returns: the number of bytes after a successful write,
2313 -1 after a failed write
2315 Used by both server-side and client-side TLS.
2319 tls_write(BOOL is_server, const uschar *buff, size_t len)
2324 SSL *ssl = is_server ? server_ssl : client_ssl;
2326 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
2329 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2330 outbytes = SSL_write(ssl, CS buff, left);
2331 error = SSL_get_error(ssl, outbytes);
2332 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2336 ERR_error_string(ERR_get_error(), ssl_errstring);
2337 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2340 case SSL_ERROR_NONE:
2345 case SSL_ERROR_ZERO_RETURN:
2346 log_write(0, LOG_MAIN, "SSL channel closed on write");
2349 case SSL_ERROR_SYSCALL:
2350 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2351 sender_fullhost ? sender_fullhost : US"<unknown>",
2355 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2364 /*************************************************
2365 * Close down a TLS session *
2366 *************************************************/
2368 /* This is also called from within a delivery subprocess forked from the
2369 daemon, to shut down the TLS library, without actually doing a shutdown (which
2370 would tamper with the SSL session in the parent process).
2372 Arguments: TRUE if SSL_shutdown is to be called
2375 Used by both server-side and client-side TLS.
2379 tls_close(BOOL is_server, BOOL shutdown)
2381 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2382 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2384 if (*fdp < 0) return; /* TLS was not active */
2388 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2389 SSL_shutdown(*sslp);
2401 /*************************************************
2402 * Let tls_require_ciphers be checked at startup *
2403 *************************************************/
2405 /* The tls_require_ciphers option, if set, must be something which the
2408 Returns: NULL on success, or error message
2412 tls_validate_require_cipher(void)
2415 uschar *s, *expciphers, *err;
2417 /* this duplicates from tls_init(), we need a better "init just global
2418 state, for no specific purpose" singleton function of our own */
2420 SSL_load_error_strings();
2421 OpenSSL_add_ssl_algorithms();
2422 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2423 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2424 list of available digests. */
2425 EVP_add_digest(EVP_sha256());
2428 if (!(tls_require_ciphers && *tls_require_ciphers))
2431 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2432 return US"failed to expand tls_require_ciphers";
2434 if (!(expciphers && *expciphers))
2437 /* normalisation ripped from above */
2439 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2443 ctx = SSL_CTX_new(SSLv23_server_method());
2446 ERR_error_string(ERR_get_error(), ssl_errstring);
2447 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2451 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2453 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2455 ERR_error_string(ERR_get_error(), ssl_errstring);
2456 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2467 /*************************************************
2468 * Report the library versions. *
2469 *************************************************/
2471 /* There have historically been some issues with binary compatibility in
2472 OpenSSL libraries; if Exim (like many other applications) is built against
2473 one version of OpenSSL but the run-time linker picks up another version,
2474 it can result in serious failures, including crashing with a SIGSEGV. So
2475 report the version found by the compiler and the run-time version.
2477 Note: some OS vendors backport security fixes without changing the version
2478 number/string, and the version date remains unchanged. The _build_ date
2479 will change, so we can more usefully assist with version diagnosis by also
2480 reporting the build date.
2482 Arguments: a FILE* to print the results to
2487 tls_version_report(FILE *f)
2489 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2492 OPENSSL_VERSION_TEXT,
2493 SSLeay_version(SSLEAY_VERSION),
2494 SSLeay_version(SSLEAY_BUILT_ON));
2495 /* third line is 38 characters for the %s and the line is 73 chars long;
2496 the OpenSSL output includes a "built on: " prefix already. */
2502 /*************************************************
2503 * Random number generation *
2504 *************************************************/
2506 /* Pseudo-random number generation. The result is not expected to be
2507 cryptographically strong but not so weak that someone will shoot themselves
2508 in the foot using it as a nonce in input in some email header scheme or
2509 whatever weirdness they'll twist this into. The result should handle fork()
2510 and avoid repeating sequences. OpenSSL handles that for us.
2514 Returns a random number in range [0, max-1]
2518 vaguely_random_number(int max)
2522 static pid_t pidlast = 0;
2525 uschar smallbuf[sizeof(r)];
2531 if (pidnow != pidlast)
2533 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2534 is unique for each thread", this doesn't apparently apply across processes,
2535 so our own warning from vaguely_random_number_fallback() applies here too.
2536 Fix per PostgreSQL. */
2542 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2546 gettimeofday(&r.tv, NULL);
2549 RAND_seed((uschar *)(&r), sizeof(r));
2551 /* We're after pseudo-random, not random; if we still don't have enough data
2552 in the internal PRNG then our options are limited. We could sleep and hope
2553 for entropy to come along (prayer technique) but if the system is so depleted
2554 in the first place then something is likely to just keep taking it. Instead,
2555 we'll just take whatever little bit of pseudo-random we can still manage to
2558 needed_len = sizeof(r);
2559 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2560 asked for a number less than 10. */
2561 for (r = max, i = 0; r; ++i)
2567 /* We do not care if crypto-strong */
2568 i = RAND_pseudo_bytes(smallbuf, needed_len);
2572 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2573 return vaguely_random_number_fallback(max);
2577 for (p = smallbuf; needed_len; --needed_len, ++p)
2583 /* We don't particularly care about weighted results; if someone wants
2584 smooth distribution and cares enough then they should submit a patch then. */
2591 /*************************************************
2592 * OpenSSL option parse *
2593 *************************************************/
2595 /* Parse one option for tls_openssl_options_parse below
2598 name one option name
2599 value place to store a value for it
2600 Returns success or failure in parsing
2603 struct exim_openssl_option {
2607 /* We could use a macro to expand, but we need the ifdef and not all the
2608 options document which version they were introduced in. Policylet: include
2609 all options unless explicitly for DTLS, let the administrator choose which
2612 This list is current as of:
2614 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2616 static struct exim_openssl_option exim_openssl_options[] = {
2617 /* KEEP SORTED ALPHABETICALLY! */
2619 { US"all", SSL_OP_ALL },
2621 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2622 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2624 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2625 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2627 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2628 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2630 #ifdef SSL_OP_EPHEMERAL_RSA
2631 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2633 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2634 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2636 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2637 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2639 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2640 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2642 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2643 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2645 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2646 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2648 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2649 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2651 #ifdef SSL_OP_NO_COMPRESSION
2652 { US"no_compression", SSL_OP_NO_COMPRESSION },
2654 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2655 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2657 #ifdef SSL_OP_NO_SSLv2
2658 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2660 #ifdef SSL_OP_NO_SSLv3
2661 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2663 #ifdef SSL_OP_NO_TICKET
2664 { US"no_ticket", SSL_OP_NO_TICKET },
2666 #ifdef SSL_OP_NO_TLSv1
2667 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2669 #ifdef SSL_OP_NO_TLSv1_1
2670 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2671 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2672 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2674 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2677 #ifdef SSL_OP_NO_TLSv1_2
2678 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2680 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2681 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2683 #ifdef SSL_OP_SINGLE_DH_USE
2684 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2686 #ifdef SSL_OP_SINGLE_ECDH_USE
2687 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2689 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2690 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2692 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2693 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2695 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2696 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2698 #ifdef SSL_OP_TLS_D5_BUG
2699 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2701 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2702 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2705 static int exim_openssl_options_size =
2706 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2710 tls_openssl_one_option_parse(uschar *name, long *value)
2713 int last = exim_openssl_options_size;
2714 while (last > first)
2716 int middle = (first + last)/2;
2717 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2720 *value = exim_openssl_options[middle].value;
2734 /*************************************************
2735 * OpenSSL option parsing logic *
2736 *************************************************/
2738 /* OpenSSL has a number of compatibility options which an administrator might
2739 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2740 we look like log_selector.
2743 option_spec the administrator-supplied string of options
2744 results ptr to long storage for the options bitmap
2745 Returns success or failure
2749 tls_openssl_options_parse(uschar *option_spec, long *results)
2754 BOOL adding, item_parsed;
2757 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2758 * from default because it increases BEAST susceptibility. */
2759 #ifdef SSL_OP_NO_SSLv2
2760 result |= SSL_OP_NO_SSLv2;
2763 if (option_spec == NULL)
2769 for (s=option_spec; *s != '\0'; /**/)
2771 while (isspace(*s)) ++s;
2774 if (*s != '+' && *s != '-')
2776 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2777 "+ or - expected but found \"%s\"\n", s);
2780 adding = *s++ == '+';
2781 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2784 item_parsed = tls_openssl_one_option_parse(s, &item);
2787 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2790 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2791 adding ? "adding" : "removing", result, item, s);
2806 /* End of tls-openssl.c */